Skip to main content

Image Carousel EUVDEUVD-2025-210360

| CVE-2025-68074 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-26 audit@patchstack.com GHSA-c6cp-9jv3-vfhh
6.5
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

PR:L reflects mandatory contributor authentication; S:C captures cross-session browser impact; A:N because stored XSS does not directly impair availability of the WordPress server or plugin.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 16:04 vuln.today

DescriptionCVE.org

Contributor Cross Site Scripting (XSS) in Image Carousel <= 1.0.0.41 versions.

AnalysisAI

Stored Cross-Site Scripting in the Image Carousel WordPress plugin (versions <= 1.0.0.41) allows authenticated contributors to inject persistent malicious JavaScript into carousel elements. When a higher-privileged user such as an administrator views the affected content, the injected script executes in their browser context, enabling session hijacking or unauthorized administrative actions. No active exploitation or public exploit code has been identified at time of analysis, and the attack is bounded by the requirement for contributor-level access and victim interaction.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation) identifies the root cause as insufficient sanitization or output escaping of contributor-supplied input before it is rendered in HTML. The Image Carousel WordPress plugin allows users with the contributor role to embed image carousels via shortcodes or block editor fields. The vulnerability arises because one or more plugin input fields fail to properly escape user-controlled values on output, allowing raw script tags or event handler attributes to be stored and later reflected into page HTML. The CVSS scope change metric (S:C) confirms this is a stored XSS that crosses trust boundaries - payload injected by a low-privilege contributor is later executed in the higher-privilege browser context of an editor or administrator. No CPE string was provided in the available intelligence, but the affected software is the 'Image Carousel' plugin for WordPress hosted in the WordPress.org plugin repository.

RemediationAI

Update the Image Carousel WordPress plugin to the latest version available in the WordPress plugin repository - verify via the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/image-carousel/vulnerability/wordpress-image-carousel-plugin-1-0-0-41-cross-site-scripting-xss-vulnerability that a patched version beyond 1.0.0.41 has been released, as an exact fix version is not confirmed in the available data. If no patch is yet available, the most effective compensating control is to deactivate the Image Carousel plugin entirely until a fix is confirmed, accepting the trade-off of losing carousel functionality. Alternatively, restrict the WordPress contributor role exclusively to fully trusted users and audit existing contributor accounts, as this closes the primary attack vector without requiring plugin removal. Enabling a Web Application Firewall (WAF) rule targeting XSS patterns - such as those offered by Patchstack, Wordfence, or Cloudflare - provides an additional layer of defense but should not be treated as a substitute for patching.

Share

EUVD-2025-210360 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy